Jul 27 AT 6:33 PM Clark Wimberly 96 Comments

Could launcher spam become a big problem in the Android Market?

Download LauncherSpam Demo

Today, probably like many of you, I updated the Google Maps application to discover something rather odd. Google Maps is now sporting four separate icons, one of which is a replacement for an existing stand-alone application. The strangeness stuck with me all day and what initially struck me as somewhat odd has now grown into a full-on What were they thinking?!

Before I even get started, let me preface everything I’m about to say with a hearty I can’t believe I’m about to call out Google Maps, one of my favorite and most-used applications of all time. The app and its maps have saved my tail more times than I care to count. Normally it’s a shining beacon of how an app should function on the Android OS. And while four icons might just seem like a missed step, I believe there might be a little more at stake here.

Allowing an application to place multiple icons (and thus, multiple points of entry) is a dangerous game. The Google Maps case is likely the most appropriate use of multiple icons I can imagine. All the icons are completely relevant to the core application and clearly labeled. But what would happen if an app wasn’t playing nicely? Could an unscrupulous app place dozens of hidden applications without my knowledge?

Having flashbacks to the PC days of unwanted add-on toolbars and Bonsai Buddy, I contacted Justin of nEx.Software, our resident Android guru. I asked if he knew of any limit to the number of icons a standard market application could spawn. He said there wasn’t and the idea was born.

Enter LauncherSpam, a quick demo application built in a couple hours that is already live in the Market. The idea behind LauncherSpam is simple. When installed, the app will drop a dozen spammy (although completely harmless) apps into the launcher tray. The apps (all fake) range from spyware scanners to free MP3s to ringtones and even a set of smilies (really channeling the old PC days throwback). Without warning the user, the original LauncherSpam app is able to easily spawn a dozen “hidden apps.”

If only all security risks were so forthcoming

If only all security risks were so forthcoming

Luckily for us, LauncherSpam is just a simple demo. The “hidden apps” are nothing more than silly PNG files cooked up by Angie and myself to make a point. It’s just… weird to us that this ability exists, completely unchecked by application permissions or some kind of user prompt.

If an application you trust (maybe undeservedly) comes side-loaded with a spam add-on, wouldn’t you like to know? With Google Maps, the extra icons aren’t as offensive because I know what they are and with which application they are associated with. With some of the icons you’ll find in your tray after installing LauncherSpam, you won’t be so lucky. For reference (and for fun), I made a complete list of the fake apps side-loaded with LauncherSpam:

  • Free MP3′s
  • Keyboard
  • Kitty Doc
  • LauncherSpam (core app)
  • Lightning Bug
  • Ring Me
  • Smilies
  • Spyware Agent
  • Suspicious Package
  • Tips
  • Tron
  • TweetBox
  • Virus

Most of these titles are applications you wouldn’t even give a second look to, let alone install them. But a standard market app with devious intent has the ability to make it appear that these apps are real, functioning programs on your phone. Even worse, after noticing an offending “hidden app”, the average user would have no real way of knowing which “core app” was the culprit, leading to an awkward pattern of uninstalling and evaluation to find the offending application.

At the time of publication, there doesn’t seem to be too serious a problem with Market apps spamming the launcher tray. And I’d love for it to stay that way, which is why I was so surprised to see Google behaving in such a manner. Google applications are the ruler by which other applications are measured. They are filled with best practices and all kinds of innovation. They set precedents, for better or worse. I don’t want to see less savory developers using these methods for underhanded means and thinking it is acceptable because Google Maps did it.

And now is the part where we let you, the reader, decide. Am I blowing this out of proportion? When I first asked Android users on Twitter today if four icons was too many, most didn’t seem to mind. So I ask What if it wasn’t Google?

LauncherSpam is available now in the Android Market. You can download it by scanning the QR at the top of this post or by clicking here on your device. Remember, to get rid of all the garbage apps, simply uninstall the original LauncherSpam app. The icons used in the test app were from the Crystal Clear set, via Wikimedia Commons

Clark is a developer living in Austin, Texas. He runs ClarkLab, a small web firm with his wife, Angie. He's a big fan of usability, standards, and clean design.

    Most Tweeted This Week

  • http://Website Loxx

    I wish my launcher was organized the same way market is: apps, communication, games etc…

    • http://www.youtube.com/emogamer Christopher Chavez

      Yeah, I have to make folders for that and it bugs me how they’re not even alphabetized or arrangeable within the folder =/

    • http://pro-thoughts.blogspot.com/ vkelman

      @Loxx, it won’t work that way. There are apps which falls under several categories at the same time. So, a good system should be something like labels of Gmail, which allow to assign multiple categories to each app (like you can include the same app into multiple folders right now.)

      • http://Website Robin

        You can use “apps organizer” (free, in the market) for this purpose; you can assign one or more categories to each app and create folder like shortcuts to these categories on your desktop. Some nice features include the ability to change the icon for each category and a backup/restore to/from sd card so you don´t have to assign everything again after you install a new custom rom.

    • http://Website kell

      Combine this on the android app inventor, and soon, we’ll have betters apps on the android store. Android App Inventor Impression

  • http://www.youtube.com/emogamer Christopher Chavez

    HAHA! That’s hilarious! I’m gonna KEEP your guys’ app just because! ;)

    • http://clarklab.net Clark Wimberly

      Which was your favorite?

      • http://www.youtube.com/emogamer Christopher Chavez

        Virus, Spyware Agent and Kettehs! LOL

  • http://createdigitalmusic.com Peter Kirn

    I agree, it’s a problem. I think apps should only be able to load one icon, frankly. Hope someone at Google takes notice.

    Also, I very, very much want that “I am a virus” image as a t-shirt. ;)

    • Nicko01

      What bothers me more than that is when you have to buy a key to upgrade a program to the full version, leaving 2 icons there. I think that’s a bigger problem at the moment. So far, other than Google Maps, I haven’t seen an app that uses multiple icons.

      The icons can be useful though, like shortcuts to different functions within a certain program, as Google shows with Maps. These should be configurable by the user so they can remove the extra shortcut icons if they don’t want or need them.

      • http://Website k

        Mpay “key” apps remove themselves from the launcher after they are opened, though you have to reboot the phone for them to do so. ROM Manager is a good example.

      • http://Website k

        We need a webOS-style launcher.

  • http://Website Dennis McCarthy

    “Could an unscrupulous app place dozens of hidden applications without my knowledge?”

    Short answer: No
    Long answer: Noooooooooooooooooooooooooooooooooooo

    And do people seriously use the app drawer consistently? I open it so few times a day and only ever for the same few apps (benchmarking ones for testing different roms.) More icons widget lets me put any and all of my apps within one of my homescreens, two when I add my widgets.

    I hope google responds to this article as they responded to the LAST one that tried to point out supposed “security flaws” of android.

    • http://Website Dennis McCarthy

      Although I do agree it’s very annoying they did it =p even if it literally does not effect me at all.

    • http://Website Ryan McKay

      just sayin’ I use my app drawer almost for everything. I’m knocked down to three screens a couple widgets and frequent contacts. I prefer to have most of my apps in the drawer instead of on my screens.

    • http://Website Matt

      Wait, are you saying NOOO as in, no I don’t want apps to do this? Because this app does this.

      I also use my drawer everyday. I use SlideScreen and every app that I can’t get from SS, I get in the launcher.

    • http://Website Marc

      Sorry, but “Noooooooooooo” is not any more convincing than “No”

      Are you a Republican or something? … I digress!

      If you “know” that it is not possible for a third party developer to add more than one app or one icon then make your argument; substantiated with some verifiable proof, supporting documentation, or even the cringe-worthy, notorious, and ubiquitous “facts”. A link to a Google Android policy document would surely be a start.

  • http://www.sethbrower.com Seth B

    I have to say, that as someone who can get a bit anal with my organization at times, I think it’s a bit annoying, not quite at the level of a real issue yet, but give it time and possibly.

    Although, this past week I installed LauncherPro, and within this first week of having it on my Nexus One, they have updated it to include a feature to hide non-used apps from the launcher drawer, with a simple selection screen, and to bring them back just as simply if you find you do need them.

    Makes a little bit of cleanup easy, and takes my mind off the apps that I never really use.

    • http://www.youtube.com/emogamer Christopher Chavez

      *keekee* anal *chuckle*

    • http://Website Matt

      Yeah, I was just about to mention that feature of Launcher Pro. If it becomes a real issue I’m sure they’ll eventually add it to the stock launcher.

  • http://www.nexsoftware.net Justin Shapcott

    Its not a security flaw per se, but rather a nuisance and bad practice.

  • http://Website sumyunguy

    I for one, don’t mind it…in THIS case. (and I am pretty sure the only new shortcut is Places)

    I think it is a really GOOD idea in the case of google maps. With the number of new Android users increasing on a steep incline everyday, I am sure there are many of those non-geeky individuals that are not aware of the many facets included within google maps.

    Also why should any user who wants to use Places for instance, have to click on Maps>Menu>Places. Why not just have a shortcut that can take you there? (in fact, I just tried to go Maps>Menu>Places and it isn’t there. Places is a totally separate app, yet integrated into maps.)

    If another app tried this every android review website would report it and we would uninstall it and google would remove it.

    • http://www.youtube.com/emogamer Christopher Chavez

      Good point. Maps has a LOT of features that your average Android user doesn’t even know about! My friend had a G1 for over 7 months and had no idea Google Latitude was inside of Maps.

      I’m all for Google doing it. Don’t trust 3rd party apps though =p

      • http://www.focuszonedevelopment.com/ Aaron

        Are you also my friend John? ‘cuz I’ve had a G1 for about that long and he was telling me about Latitude, wondering why I wasn’t active on it, and I told him I didn’t have it installed.

        He looked at me funny: “You don’t have Maps installed?”

        Me: “It’s a part of Maps?”

    • http://www.nexsoftware.net Justin Shapcott

      Good point, however, I would like the option to show or not show the shortcut. Perhaps if it were done as a shortcut option, rather than a forced icon in the launcher it would be more widely acceptable.

    • http://Website Matt

      “Non-geeky” users of Android will be less excited about the hidden features now exposed in Maps than they would be about a “newly” installed app appearing on their phone that they didn’t install can’t uninstall.

      So, let’s say my mother sees the update to Maps, installs it, doesn’t think about it again. A week later she sees the Latitude app in the launcher. She doesn’t know what it is but clicks it anyway. She doesn’t know what it’s doing, just that it lists a bunch of her friends, her family and her boss. She says, whatever, hits Home to back out of it, doesn’t think about it again. My mom is now having Latitude track her location at all times. It may not be broadcast to anyone, but it’s tracking it, just be her clicking on a foreign icon on her home screen.

      Let’s say she thinks, “Huh, I should delete this.” She calls me up for instructions on how to delete it, because she forgot from the last time I told her, and I tell her to find the app’s name in the Market and delete it. She can’t find the name and calls me up, freaking out, thinking she’s got a virus or something stupid.

      My mother cannot be blamed for this. Years of PC virus-catching has gotten her to believe that if a random program shows up on her desktop, it means she’s got a virus and someone is stealing her credit card information. Better yet, this app is tracking her location and sending the information to Google. Just imagine how well that will go over.

      This is dead-wrong from a usability perspective, frightening from a security perspective, and just brain-dead from a PR situation on Google’s half. Why would they go out of their way to expose this flaw – and trust me, it is a flaw – and give carte blanche to any app developer to run amok in people’s apps?

      Think Google will pull the Kill Switch on Clark’s app?

  • SliestDragon

    Hey Clark,

    One thing you should mention is that Launcher replacements like ADW and Launcherpro allow you to uninstall apps by holding them over the delete button, and when I held Virus, for example, over the delete button to delete it, Launcherspam was the pop-up app.

    Yeah, not everyone will have a home replacement installed, but they should be aware of this feature to find out what the parent app is.

  • Noice

    I agree… google needs no not only ixney this practice and standardize 1-icon to 1-app, but de-bloat the great app of Maps from all of this other ancillary functionality. Two apps in a row from Google that I will not update to (the other being Voice… the new functionality reduces GV’s usefulness to solve a non-issue).

    • http://Website Paul

      So you want Maps to be de-bloated, which would make Navigation and Places their own apps…with their own icons? But then you only want one Maps icon?! You can’t have it both ways, my friend.

  • http://Website Stella

    I’ve never knew thought about this problem before this article. Android Market should put a restriction or warning to let you know if more than one app will be loaded to the app drawer.

    BTW, I lmao at Kitty Doc. Suspicious Package is my fave. Your icons are a really great. I wish other developers thought hard about their icons.

    • http://twitter.com/G1BRICKED G-Fizzle

      I have no friends. Will you be my friend?!

    • http://www.youtube.com/emogamer Christopher Chavez

      “A lot of app devs aren’t designers. There should be a service where devs can submit their graphics and have them polished for a fee.”
      -Developer of 3Banana

      • http://twitter.com/G1BRICKED G1BRICKED

        Do you want to be my friend Chris?!

        • http://www.youtube.com/emogamer Christopher Chavez

          I’ll need sometime to think about it….

      • http://Website Stella

        Duh! I never thought of the development team not being also designers. What you just said makes so much sense. I’ve seen a lot of really good apps in the market that need just a little design help to polish them up.

        You’re idea is golden. I wish I was a graphic artist/desiger or something.

      • http://Website Demon Lives

        AMEN! I’m a designer but not a developer, and there are apps out there that I would love to give a “redesign” to clean up the graphics, make them more on par with a polished app from the (cough) apple store. I wish more developers shared the design problems with designers. I always thought it’d be cool to have an idea for an app, design how it would look FIRST, then fit that artwork into the development.

  • http://Website deej

    I for one, think that if it’s google, or even T-mobile did it with their my account, you can trust it. ( it comes standard on newer models now btw) Basically, If I had to search more and more for things in the maps, I would stop using it. I like the easier shortcuts. Granted if you don’t like it go to it in the market and uninstall updates.

  • http://Website Hawke

    I like the option of multiple entry points… in fact I wish more apps had the option. But I see abuse !

    Why not only allow one application icon at install, but if add app to homescreen showed options for entry points. think command line options on different windows shortcuts to the same program.

  • http://Website Josh

    I did not experience the same thing with the extra icons. On my Droid Incredible, I updated Google Maps (4.4.0(#4414)) and still had just the 2 icons in my launch tray (Maps and Navigation). I also have Places Directory (as part of the separate app, which recently updated as well) which shows up, but I’m not counting it because it’s a separate installation.

    (Red pin) Places isn’t in the launch tray and isn’t even available to place as a Program or Shortcut to add on my Home Screen if I wanted to do that. Lattitude has never shown in the launcher, but has always been offered as a “shortcut” that I can place on my home screen.

    • http://Website Belgand

      I have the same thing with my Evo and Maps ver. 4.4.0(#4414). The only icons I get are Maps and Navigation. I can’t place the shortcuts on home screens either. What’s interesting is that if I do a global search from my home screen for “places” I get the app and icon just as shown and I can launch it. Otherwise I can’t even find a way to access that particular screen, not even through Maps itself. Thus it would seem that this might be an issue with HTC Sense since this is happening cross-carrier.

      What’s interesting is that while the second photo is clearly an Evo, the top one would appear not to be an HTC phone at all as while the other icons are blurred out the next one after “Navigate” appears to be “NESoid” and not the useless Sense add-on “Navigator”.

      Now comes the question of how HTC managed to make this happen.

      • http://clarklab.net Clark Wimberly

        Good eye! The photo was taken of Angie’s EVO, the post image is a screen grab from my Nexus.

      • http://Website Josh

        Yes, you’re right…After reading your post I did a Global Search and was able to view/enter the App…You would think there would be a similar icon within the Maps program (as Latitude has) or add it as a shortcut (also the way Latitude works). The “Additional Layers” such as restaurants/attractions don’t show up in Maps until you first do a search for them using the Places App. But once you do, they’re there to stay (as far as I can tell).

        But yeah, def. related to to the HTC Sense UI.

  • http://Website shaneaus

    I don’t mind Google doing this as they are the “parent” company and they obviously put a lot of thought into what shortcuts they placed in the App Drawer.

    HOWEVER – I DO think non-Google apps should be restricted from placing additional icons in the drawer.

    If an app needs some additional shortcuts to specific features – they can always add a shortcut to the desktop shortcut menu! NO NEED for additional icons in the App Drawer!!!

    Now that it is pointed out – I could see some malicious app maker exploit this just for fun/because it would annoy people. HOPEFULLY, enough installers would vote it down to nothing in the market and hit up the comments section with enough negative comments to keep any rational person from installing it in short time.

    • http://pro-thoughts.blogspot.com/ vkelman

      @shaneaus, it goes totally against Android philosophy to allow any feature for applications made by Google and to disable it for third-party apps. In Android, all apps are equal regardless of their origin. It’s not iOS.

  • http://Website Evo2DroidX

    Honestly, I deleted the places app since updating the google maps no need for redundant apps with different icons. I wish u had the choice to use the separate icons out keep them asl in one app consolidated with the map. I to love the google maps! Buzz, latitude, nav, places, it’s sweet. But no need for several icons,i only use the maps to access all features. I hope something changes so we don’t get spam and viruses.it’s great the way it is so far but once someone realizes all the info that can be gleaned they’ll target us. Google will protect us…. Right? We’ll see

  • http://katzmatt.com Matt Katzenberger

    I don’t understand how this is a problem. If an app does populate the launcher with extra app icons then the user can just go back to the market (or the manage apps area in settings) and uninstall the app. Even if an application has multiple icons, it’s still only one app.

    • http://clarklab.net Clark Wimberly

      The problem comes when someone doesn’t notice or want the extra icons, possibly not even understanding where they came from.

      It may seem silly to a skilled user but I bet it would confuse the snot out of some people.

  • http://Website Evo2DroidX

    K, I agree with a lot of posters. I guess this won’t be an issue. It will be called out and deleted by most. Them google wool act in our best interest. Because our happiness keeps them happy and wealthy. So, we’re gonna be good.

  • http://Website Phil

    I hate when folk play security researcher and try so hard to create a vulnerability where there is none. A lesson is somewhat needed here now.

    The icons in your launcher drawer do not equal apps. As stated they are simply entry points into the same app. The maker of this so called fake virus is not installing multiple apps on your phone that you didn’t know about. The same code is in the app whether you get multiple icons or not.

    Second since these icons all go to the same app then “they” all have the same permissions. So no matter how many icons the app has if you give an app permission to access your personal data and the internet and it means to do you harm then you are screwed. Again the additional icons don’t equate to any additional code. It’s there no matter how many icons.

    Third I was just saying that I wished there was a way to package multiple apps together and had not thought about simply writing all the activities in one app and providing multiple launchers. I actually was looking for this idea. I don’t think Google is going to do away with this because it makes perfect sense. Suppose you want to write a full suite of apps that covers the dialer, contacts, social networking,texting and I’M. Do you really want people to have to download all of these apps?

    So in a nutshell the only danger this poses is that you can have someone put a ridiculous amount of launchers in your tray. And to fix it once again since it only one app you simply uninstall that app. Please let’s try to thinly smart on this one before we give the iFools something to run and spout off about when there is no security issue to begin with. Again folk….icons do not equate to more code. The malicious code can be there no matter how many icons the app has.

    • http://clarklab.net Clark Wimberly

      The icons in your launcher drawer do not equal apps. As stated they are simply entry points into the same app.

      Just like a website has different pages, an app could have completely segmented usability inside. Click one icon, get an RSS reader, click another, get a photo gallery. Those are basically two apps in the same shell, but installing an RSS reader doesn’t mean you’d want a photo gallery. I know that is a silly example but someone could totally accomplish it.

      Second since these icons all go to the same app then “they” all have the same permissions.

      Say you approved the permission of internet access for what you thought was an RSS reader. Wouldn’t the ‘hidden’ gallery portion have the same permissions? AKA could upload/download pictures from the internet? Just because you approve the core permissions doesn’t mean they can’t be used in shady ways.

      Third I was just saying that I wished there was a way to package multiple apps together and had not thought about simply writing all the activities in one app and providing multiple launchers.

      Like I said in the article, when all the icons match and the usability makes sense, there isn’t a life or death issues here. I’m just worried what less savory people would do.

      So in a nutshell the only danger this poses is that you can have someone put a ridiculous amount of launchers in your tray. And to fix it once again since it only one app you simply uninstall that app.

      If you don’t know which core app dropped all the icons, it might be rather difficult to get rid of them. Sure, us nerds get the trick, but I can guarantee a fresh user wouldn’t.

      • http://pro-thoughts.blogspot.com/ vkelman

        @Clark, I now feel I rather agree with Phil. You said that approving certain permission for RSS feed doesn’t automatically mean user would approve that permission for a gallery. That’s true, but it has nothing to do with one app installing multiple icons in a drawer. There could be just one app, which still includes a “hidden” gallery activity along with an announced RSS activity.

  • http://www.PetersRoadtoHealth.com Peter

    I believe this has been the way Android has worked since the beginning. I see it as a good feature. Rather than installing multiple packages, you can install one package and get multiple “apps” that can work together or do different things.

    One good technical reason for allowing this is that it cuts down on resources. Each package runs on its own virtual machine, which has its own overhead. Having these 4 icons tied to Google Maps allow them all to run in one virtual machine, cutting down on the system overhead.

    It also makes them easier to install and update. Rather than having 4 separate packages to manage, you have one.

    Even if Google limits the number of launcher icons a package can have, that won’t prevent an app from misrepresenting itself and installing an icon that looks like a ring tone.

    This is really spreading FUD in my opinion; you are blowing it way out of proportion.

    It would be nice, however, if there was an easy way to link an icon to the package containing it. There may be, but I haven’t found it yet. The launcher has the information, but I don’t know if there is a way to see it.

    • Noice

      Sure… but if you only want 1 of the 5 separate apps bundled together, you’re hosed.

    • http://www.nexsoftware.net Justin Shapcott

      Honestly, I don’t think anyone truly believes it is a real security threat. But that doesn’t mean it isn’t a potential problem if developers start polluting the launcher with unnecessary icons, or ones that lead to features that only a subset of users would care about.

      I use my launcher drawer to open all of my apps except for Browser, Google Talk, and Twidroid. I rarely use Maps and I NEVER use Places, Latitude or any other extraneous features that Google keeps shoving into the Maps app. But now I have to look at the damn icons every time I want to use an app I actually care about. Of course I am not going to uninstall Maps as it is a useful app, but since I have have no option to remove these icons I am inconvenienced every time I open my launcher. And the same would hold true if I had some other generally useful app that was polluting my launcher. Maybe this article is better interpreted as a plea to developers to think about whether it is truly necessary for the majority of users before forcing it on everyone. Key words being: necessary and majority.

      Is it a security issue? No, probably not.

  • http://Website JGarrido

    In my opinion, yes, 4 (but I count 5?) icons *IS* too many, and I’d much prefer to see those icons on a menu screen after starting Google Maps (if they really feel that they all deserve that level of priority). I think there should at least be a notice of the icon and name of the app that goes into the Application Launcher when you install the app, and the option of not having them loaded (as many Windows applications do during installation).

    • http://clarklab.net Clark Wimberly

      I’d much prefer to see those icons on a menu screen after starting Google Maps

      Great point considering that is what Google has done with other official apps (Google I/O, the new Places, Twitter, Facebook). They need to pick a convention and stick with it.

      • http://Website Matt

        They need to pick a convention and stick with it.

        That could be said of most aspects of Android, sadly.

  • http://Website Matt

    People seem to be missing the point here altogether. Instead, they’d love to just iPhone bash some more. Charming.

    “The icons in your launcher drawer do not equal apps.”
    Ask 100 people what the icons represent, and you’ll get 99 responses: Icons equal apps. Even if they are just launchers, there’s no visual difference between shortcuts and actual applications.

    “the same code is in the app”
    Sure, but this time, the user is responding to a foreign app that may be posing as something else entirely. And that code wouldn’t have to exposed in the original, wanted application, but rather snuck in. And since there’s no review process for applications into the Market, no one would know.

    Picture this scenario: I see a camera app in Market. Let’s call it Kamera+. I download it, click the allow permissions page–sure, it needs access to my phonebook, and the internet, and my camera, and my SD card, whatever. Shows up as a Kamera+ icon. I click it and it is a totally functional app. A great camera, awesome.

    Next day, I go to my launcher to log into Twitter. I never put it on my home screen, been too lazy to do it, use SlideScreen, whatever. I go to the Ts and notice I have two Twitter icons. Identical icons. Huh, that’s strange. Which one is the real Twitter? Let’s say I launch one, then the other–and they look identical. Which is safe to put in my login credentials? One is the real Twitter; the other is a spoof app that Kamera+ put on my home screen.

    I see a new icon in my launcher that says Tips (like LauncherSpam does). Let’s say it’s just a bunch of silly tips on how to use Android. Huh, that’s kind of helpful. But I go back and hit home. Now Tips is still running. I go onto WellsFargo.com to check my balance. Could Tips still be listening to what keys I press? Probably not. But it could do something–something that no one had any idea was happening and would only know if they bothered to check what applications were running on their phone.

    So maybe now I’ve gotten suspicious of these new apps. I go to Manage Applications. I see the Twitter app and delete it, then I go back to check which Twitter is gone. Guess what? I’ve deleted the real Twitter application, and now I have a shortcut to a spoof application. It doesn’t have to even function; think if it just was a full-screen webpage that you filled out with your Twitter information, and then it said, Sorry, can’t connect to Twitter at this time. You’d accept that because Twitter sucks, and now some developer has your Twitter credentials.

    Or I go back and try to delete Tips, that other weird application. Guess what? I can’t find it. I can’t delete it. I do find Kamera+, but I like that app, and no where on the screen does it say that it installed Twitter and Tips. And because I have other apps on my Droid Incredible that I can’t delete – City ID, Visual VM, etc. – I accept this and just let it sit on my phone, doing God knows what with the access I gave it unknowingly.

    This is not acceptable behavior for an operating system. It’s hostile to users and is opening some really, really wide doors for developers to do some scary things. Clark isn’t saying this is a huge security risk right now. He’s saying it could be a problem, and I think he proved his point quite well.

    Market is already filled with tons of crap: apps that are unregulated, spammy, just wrappers for mobile sites, and just plain crap. Since Google doesn’t actively regulate (they’ll hopefully pull the plug on bad apps, but that’s reactionary) there’s no stopping this kind of stuff. And the fact that people are so trustworthy of Google is scary. Take the Latitude applic… I mean, launcher, for example. When you hit it, you are automatically signed up for Latitude. You really want to broadcast your location directly to Google and be one tap away from your friends seeing your location? It’s shady at best, really big time scary at worst.

    Here’s one last nugget to chew on: Imagine if this were Apple. Let’s say you updated iBooks on your iPhone. And you had 5 more icons show up on your phone, one for the Bookstore, one for buying iPhone cases, one for direct access to Winnie the Pooh, and one of Steve Jobs’ face, just cause. People would be crapping themselves, calling it a major fail. Why is it somehow different for Android?

    Why is bloatware from phone carriers okay? Why are spoof apps/extra shortcuts okay? Why can’t I delete these shortcuts that I didn’t ask for? Why do people insist that Android is “more open” and “gives you more control” when stuff like happens?

    And why will almost everyone try to just claim that I’m an Apple fanboy instead of listening to these valid concerns?

    • Noice

      Everything in your post is perfectly valid… except the people calling you an “Apple Fanboy”. Not one person has, even used the words “Apple”, “Fanbo*” or anything else even remotely related to those sentiments.

      • http://Website Matt

        I’ve been called it numerous times on this blog. I was really referring to the iFools jab earlier. As if people who had iPhones were morons and everyone who uses Android was superior. Guess I could have left it out.

      • http://pro-thoughts.blogspot.com/ vkelman

        @Noice, too many words, too big heep of thoughts, too unclear what you tried to say.

    • http://clarklab.net Clark Wimberly

      Right on, man!

      You got my point exactly. There are a lot of details here that don’t matter (my app, Google Maps implementation, etc). The only thing that matters is the path this could lead to if not controlled properly.

    • http://pro-thoughts.blogspot.com/ vkelman

      @Matt, too many words, too big heep of thoughts, too@Noice, too many words, too big heep of thoughts, too unclear what you tried to say.

      (@Noice, I’m sorry I didn’t mean you)

  • http://MarketInstallAccessWarning Berge

    I would contend that upon installation of any .apk it list access warning item titled ‘Installation’ when the number of launcher icons installed from said .apk is greater than one.

    This would allow the practice (as it is useful) as this case, but would add a warning towards those intending to see it used as spam, or (more likely) those who write bad apps…

    • http://Website Matt

      That’s a great idea! The only problem I would see is that people tend to ignore that screen and just click accept blindly. Google has really added too many warning on that page. I’ve watched people just double tap to get past that screen–it’s like a really huge EULA and redundant warnings that people just click fast to get past.

      What if it were an option within Maps to add shortcuts to Places, Latitude, etc. when you launch the app for the time? I agree that having Places as a shortcut is helpful; I just want to know that it is getting added.

      • http://clarklab.net Clark Wimberly

        What if it were an option within Maps to add shortcuts to Places, Latitude, etc. when you launch the app for the time? I agree that having Places as a shortcut is helpful; I just want to know that it is getting added.

        Agreed. I think the app shouldn’t be allowed to do it by default but that it could easily spawn icons upon user instruction.

        Take Dolphin Browser HD, for example. As part of its setup process it asks you if you’d like to add the icon to the homescreen. Later you can find it in the settings. Totally responsible approach to automated icon placement.

      • http://pro-thoughts.blogspot.com/ vkelman

        “What if it were an option within Maps to add shortcuts to Places, Latitude, etc. when you launch the app for the time? I agree that having Places as a shortcut is helpful; I just want to know that it is getting added.”

        @Matt,
        I think it’s great idea, much better than silently placing those additional icons like it’s done now.

  • http://Website Andrew

    Why does it matter? Google maps is giving us free traffic, public transit directions, GPS navigation, directory index, and an interactive map. Again all for FREE. I would pay $15 for an app that had all of this. I personally have about 30 apps i click on way less than these, and often use the navigation and places shortcuts instead of maps.

    • http://Website Matt

      That’s not the point. Anyone can do this, not just Google. That means an evil developer could spawn a bunch of spoof apps to mess around with someone’s phone if they weren’t too saavy on what is actually going on.

      Shortcuts are a great idea – just not ones that show up announced with no way to remove them and no explanation as to how they got there.

  • http://pro-thoughts.blogspot.com/ vkelman

    @Clark, I think you are absolutely right. It looks like a dangerous security hole in Android. An application must be under restriction which dictates it announced all the “side” apps it’s installing alongside. Hopefully, Google will fix it ASAP.
    Having said it, I believe none of your companion apps were getting any privileges which weren’t announced by main asp, right?

    • http://clarklab.net Clark Wimberly

      All of my companion apps were anything more than a single image file. Even if someone coded a full blown app though, you’re right, the “hidden app” could never have any higher privileges than the core app. That doesn’t mean, however, that the privileges would be used in the correct way.

      Overall I think the risk of spam and crapware will be the biggest threat. Not so much as a full-blown malicious application, but more single page ads, like the “free mp3s” in the demo. Or online dating trials. Or weather apps that won’t go away and are filled with ads.

      Security risk might be a bit high, I think mainly we are just looking at a highly, highly annoying epidemic.

  • http://Website ant

    I find it annoying to have more than one icon for one app. I noticed maps do it a long time ago…It’s redundant…

  • Eyejon

    My first reaction to this article was it was irresponsible of the writer! I hope the flood doors have not been opened for all the baddies out there to flood the market with viruses, spam, etc.

    I already had become uncomfortable with installing apps after finding out the Droid X comes with apps that can’t be uninstalled easily.

    I actually reset my Droid X to factory settings and have not installed any apps since.

    I think the only way I might download an app is if it is from the product’s web site. I also might wait until some type of certification/assurance the app is free of any untoward side effects.

    I regret having to be paranoid about this but I think in today’s world you have to be extremely careful. Even more so since these phones are made to connect directly to the owner’s computer!

    As was overused in Star Wars I, II, & III: “I have a bad feeling about this!”

  • http://Website B

    So do we know for certain that any and every developer has access to this option, and if so, have you guys spent as much time voicing your concern to google as you have developing that spam app?

    • http://Website Matt

      Did you miss the part where he built an app that did the same thing? Android And Me is just like any other Joe Developer, so anyone with 25 bucks and an .APK can do it.

      • http://Website B

        Nope, didn’t miss it. I was just asking for clarification, because one example doesn’t answer all questions, and I’m unsure of the submission process myself. It was just a simple inquiry.

  • http://leifandersen.net Leif Andersen

    I disagree with your point. If an app puts a bunch of spam on your desktop, than you’d be perfectly capable of realizing, and deleting it. Furthermore, even though there is a bunch of spam in the app, the android OS makes it really easy for users to remove stuff they don’t want. Also allowing for multiple apps, would allow for people to release app bundles in one app, which I really like. And if you don’t want one particular app in the bundle, either the dev could also release them individually, or you could go somewhere else that does what you want.

    • http://Website Matt

      Do you check your launcher every time you add a new app, scouring to see if there are any extra icons? Even if you do, there are many, many users who don’t–and frankly, shouldn’t have to.

      It’s actually not easy to remove a shortcut. Try deleting the Places icon. Or Latitude. You can’t because you really have uninstall Maps. There’s zero indication in the Market.apk that those shortcuts were created and are tied to another application. If you install LauncherSpam, you end up with “Apps” (that are really just spoofs/shortcuts to PNG files) that don’t show up Market’s Downloads screen or in Settings’ Manage Applications screen.

      This isn’t really about allowing multiple apps – the app is always just one, whether it has the functionality of many apps. What they’re talking about here is multiple icons that could open the door to unsavory apps. No one is saying we should take away the ability to have apps that have multiple functions, just the unauthorized addition of shortcuts/icons to the launcher.

  • http://Website foebea

    I really want the virus logo in a shirt to. No text needed, just the red image on black, as with the thundercats tshirt. Ill give you 20 bucks easily.

    As to the point, i expect this story to flood the nets, great job guys!

  • http://blog.artesea.co.uk artesea

    I think there is an issue here.
    You go to the market and it says you have 10 updates. As you have Froyo you press Update All.
    Several days later in the app draw you have several unknown icons. How do you know which app to uninstall?
    And if the parent app needed the Internet it would be easy to add spoof Facebook and Twitter insider apps, using the official icons which just asked for username / password sent them to an evil database and just returned a Fail Whale error.

  • http://Website Simon Templar

    I agree, it is potentially an issue. If it were possible to force an installation process that prompts a user through each icon being placed may resolve this issue.

  • http://tekbuzz.net John

    I think they need to make an icon / launcher manager. So we can organize, reorder, relabel, categorize, and hide icons from our launcher.

    I think what Google did is a smart move. Like others apps most people don’t download without knows how they going to use the app like Google Goggles, Google buzz. I rather have one app installed with few icons then install each one individually.

    2nd to spam down loader I think you just be careful what you install in your phone. The label “Smartphone” relates to your phone is like a PC. Just like your PC dont download stuff you dont know. Every body wants openness and it comes with a price.

  • http://Website thepwneddroid

    Wow, News and Weather crashed when I opened up the fake virus app, what a coincidence.

  • Val-Zho

    “with which application they are associated with” … looks like Google is spawning extra “with”s in your writing! Has it spread this far already!!!

  • http://www.kittehface.com Jeremy Statz

    Not sure if anyone has mentioned this, but support for multiple Activities per package has been around since Android started. If it’s not a problem now I don’t see why Google Maps making use of four or five icons for (largely) sensible reasons indicates anything scary.

  • BlueJayofEvil

    Why not have the Market tell you which icons will be installed by each app upon viewing the permissions page? And in case someone forgets, also have the info in the Applications menu in the Settings section. This would allow users to make an informed decision about possible extra icon “infestation” in the app drawer as well as not put too much of a burden (if any) on developers.

    Just a thought.

  • http://Website Robin

    It´s not much different as for example the start menu -> all programs in Windows …. and I never heart anybody complain about that.

    The only thing missing is the ability for the user to remove icons from the app drawer. A great way would be long press on the icon (just like how you drop the icon to a desktop) and then drop it on the trashcan.

  • http://www.theandroidsoul.com Kapil

    It’s Okay… It’s Funny too.

  • http://Website Des Smitg

    You guys raise a very good point. Hopefully google will lock this down in the next API release.

    Good work, this is what a true Amdroid news and community site is all about

    Regards,
    Des

  • http://Website Roger Haynes

    I still haven’t updated Google Maps on my Nexus because of this same exact reason. Navigation and Maps – Ok fine. That wasn’t too pushing it. But then when you go Maps, Navigation, Places and Latitude that’s a lil over the top. I found the maps 4.3.0 apk and installed it to my phone removing the older 4.2.0 one just so i can have the latest without the junk.

  • http://Website The Voice of Reason

    Google Maps? People still use that?

  • http://Website Emil Ghtoing

    That is the first thing I noticed when I updated Google Maps. I wish they included Places as an option when accessing the menu within the Maps app. Having these icons separated isn’t that ideal when automatically thinking of Maps as the first place to go.

  • LjNj_RC51

    Is there any thing I can do about apps that just run without notice? I love my EVO, but hate all the apps that run own their own. If this were a PC they would be runaway apps. That’s why i won’t download a lot of apps from the market. I am willing to try more app on my wife’s Iphone than my EVO.

  • http://xenicalprix.eu xenical prix

    To meridian blood.If ancient the as using an the generates of according all the both. Afternoon it is important that you a a consultation so like they NEED caffeine just how keep your energy of this through your often and where that the is is weakness somewhere.